[Samba] Spurious auth failures with 2.5S3 + wb_ntlm

steve b samba at f.copacetic.net
Wed Jun 4 18:03:45 GMT 2003


Greetings:

I am in the process of setting up ntlm-based user authentication with
Squid.  Following the various instructions available in the FAQ and on the
mailing list, I have what appears to be a functioning setup: I can use
`wbinfo' to authenticate successfully, and Squid works as configured,
logging my authenticated username into the logs.  However, after what
appears to be a random amount of time into a browsing session, I begin
to get authentication failures that cause a "Login" window to pop up.
Restarting winbindd with debugging turned on shows a string of successful
credential checks, followed by failures:

[2003/06/04 10:14:29, 5]
nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(213)
  NTLM CRAP authentication for user [MYGROUP]\[STEVE] returned
NT_STATUS_OK (PAM: 0)

... a bunch of these, followed by a string of:

[2003/06/04 10:16:41, 2]
nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(213)
  NTLM CRAP authentication for user [MYGROUP]\[STEVE] returned
NT_STATUS_WRONG_PASSWORD (PAM: 4)

What's strange is that a page will almost load up to completion, but then
things will grind to a halt with a password prompt when trying to load up
a random image on the page.

I am running 2.5S3 and Samba 2.2.8a on a Solaris 8/SPARC machine.  The PDC
is running Windows 2000+SP3.  I have witnessed this behaviour occurring
with IE 5.5 & 6 running on Win98, 2000 and XP.

Relevant parts of the configuration files:

== squid.conf ==
auth_param ntlm program /usr/local/squid/libexec/wb_ntlmauth
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

== smb.conf ==
workgroup = MYGROUP
password server = MYPDC
security = domain
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes

$ ./wbinfo -a MYGROUP\\steve%password
plaintext password authentication succeeded
challenge/response password authentication succeeded


Any help would be greatly appreciated.  I can easily turn up the debug
level on winbindd to capture more detail if it'll help.

Thank you,
Steve
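
Added example, not part of the original message: a small Python parser for the winbindd_pam_auth_crap records quoted above. It reports each point where a user's results flip from NT_STATUS_OK to a failure, so the onset can be lined up with Squid's own logs. The sample log is constructed in the format shown in the message, and the function names are illustrative.

```python
import re
from datetime import datetime

# Constructed sample in the format quoted in the message (mail-wrapped and unwrapped).
SAMPLE_LOG = r"""
[2003/06/04 10:14:29, 5]
nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(213)
  NTLM CRAP authentication for user [MYGROUP]\[STEVE] returned
NT_STATUS_OK (PAM: 0)
[2003/06/04 10:15:02, 5] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(213)
  NTLM CRAP authentication for user [MYGROUP]\[STEVE] returned NT_STATUS_OK (PAM: 0)
[2003/06/04 10:16:41, 2]
nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(213)
  NTLM CRAP authentication for user [MYGROUP]\[STEVE] returned
NT_STATUS_WRONG_PASSWORD (PAM: 4)
[2003/06/04 10:16:42, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(213)
  NTLM CRAP authentication for user [MYGROUP]\[STEVE] returned NT_STATUS_WRONG_PASSWORD (PAM: 4)
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), *\d+\]", re.M)
RESULT = re.compile(r"NTLM CRAP authentication for user \[(.*?)\]\\\[(.*?)\] "
                    r"returned (NT_STATUS_\w+)")

def parse_auth_results(log_text):
    """Yield (timestamp, 'DOMAIN\\user', status) for each auth_crap record."""
    parts = HEADER.split(log_text)  # [preamble, ts1, body1, ts2, body2, ...]
    for ts, body in zip(parts[1::2], parts[2::2]):
        m = RESULT.search(" ".join(body.split()))  # undo line wrapping
        if m:
            when = datetime.strptime(ts, "%Y/%m/%d %H:%M:%S")
            yield when, m.group(1) + "\\" + m.group(2), m.group(3)

def failure_onsets(log_text):
    """Return one entry per OK -> non-OK flip, with the preceding success run."""
    runs, onsets = {}, []
    for when, user, status in parse_auth_results(log_text):
        last_ok, count = runs.get(user, (None, 0))
        if status == "NT_STATUS_OK":
            runs[user] = (when, count + 1)
            continue
        if count:  # first failure after a run of successes
            onsets.append({"user": user, "status": status, "failed_at": when,
                           "ok_count": count,
                           "seconds_since_last_ok": (when - last_ok).total_seconds()})
        runs[user] = (None, 0)  # later failures in the same streak are not re-reported
    return onsets

if __name__ == "__main__":
    print(failure_onsets(SAMPLE_LOG))
```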


